Abstract


The highly-publicized division error in the Pentium has emphasized the importance of formal verification of arithmetic operations. Symbolic model checking techniques based on binary decision diagrams (BDDs) have been successful in verifying control logic. However, the lack of a proper representation for functions that map boolean vectors into integers has prevented this technique from being used for verifying arithmetic circuits.

We have used hybrid decision diagrams to represent the integer functions that occur in arithmetic circuit verification. For the state variables corresponding to data bits, our representation behaves like a binary moment diagram (BMD), while for the state variables corresponding to control signals, it behaves like a multi-terminal BDD (MTBDD). By using this representation, we are able to handle circuits with both control logic and wide data paths.

We have extended the symbolic model checking system SMV so that it can also handle properties involving relationships among data words. In the original SMV system, atomic formulas could only contain state variables. In the extended system, we allow atomic formulas to be equations or inequalities between expressions as well. These expressions are represented as hybrid decision diagrams.

The extended model checking system enables us to verify circuits for division and square root computation that are based on the SRT algorithm used by the Pentium. We are able to handle both the control logic and the data paths. The total number of state variables exceeds 600 (which is much larger than any circuit previously checked by SMV).


1. Introduction


Proving the correctness of arithmetic operations has always been an important problem. The importance of this problem has been recently emphasized by the highly-publicized division error in the Pentium. In order to verify such circuits, it is necessary to represent and manipulate functions that map boolean vectors to integer values. In this paper, we describe how to represent and manipulate such functions efficiently using Multi-Terminal Binary Decision Diagrams (MTBDDs) [8]. An MTBDD is like an ordinary Binary Decision Diagram (BDD) [3] except that the terminal nodes can be arbitrary integer values instead of just 0 and 1. We have also investigated a technique for representing such integer-valued functions by BDD arrays. Unfortunately, both representations have problems when they are used for verifying arithmetic circuits. For the functions that arise in this type of application, the number of possible values is exponential in the number of bits. Therefore, the MTBDDs also have exponential size. Since the BDD size for the middle bit of a combinational multiplier is exponential in the length of its operands, the BDD array representation is exponential for multiplication. Moreover, arithmetic operations on BDD arrays are very expensive.

Bryant and Chen have developed another representation called the Binary Moment Diagram (BMD) [4]. They use the expansion $f = f|_{x=0} + x \cdot f_{\dot{x}}$, where $f_{\dot{x}}$ is equal to $f|_{x=1} - f|_{x=0}$, instead of the Shannon expansion. This gives a compact representation for certain functions that have exponential size MTBDDs. They have used this word level representation to verify the data paths of some arithmetic circuits. The BMD representations for both the circuit and the specification are constructed and compared. The circuit is correct if both BMDs are exactly the same. However, depending on the implementation and the control logic, there can be cases in which the circuit is correct but the BMDs are not identical. Another problem is that this approach cannot handle inequalities. Thus, it is impossible to check some of the properties that are needed in order to avoid the Pentium error.

We first show that the BMD of a function is the MTBDD that results from applying the inverse Reed-Muller transformation [12] to the function. The transformation can be computed using the techniques that we have previously developed for manipulating large matrices [8]. The transformation matrix in this case is the Kronecker product [2] of a number of identical $2 \times 2$ matrices. We show that the Kronecker products of other $2 \times 2$ matrices behave in a similar way. In fact, the transformations obtained from Kronecker products of other matrices will in many cases be more concise than the BMD. We have further generalized this idea so that the transformation matrix can be the Kronecker product of different matrices. In this way, we obtain a representation, called the Hybrid Decision Diagram (HDD), that is more concise than either the MTBDD or the BMD. In addition to algorithms for performing arithmetic operations, we have developed an efficient algorithm to compute the set of variable assignments that satisfy an arithmetic relation. For the class of linear functions, which includes many of the functions that occur in practice, such operations are guaranteed to have complexity that is polynomial in the width of the data words.

Our representation for functions that map boolean vectors into the integers enables us to extend temporal logic model checking [6, 7] so that it can handle arithmetic circuits. In traditional model checking systems, specifications are expressed in a propositional temporal logic, and circuit designs and protocols are modeled as state-transition systems. An efficient search procedure is used to determine automatically if the specifications are satisfied by the transition systems. The main disadvantage of this approach is the state explosion which can occur if the system being verified has many components that can make transitions in parallel. Recently, the size of the transition systems that can be verified by model checking techniques has increased dramatically because of the use of BDDs [5]. Although such symbolic model checking techniques have been successful in verifying control logic, these techniques cannot be directly used for verifying arithmetic circuits.

One of the main reasons that the symbolic model checking systems cannot handle arithmetic circuits is the lack of a concise representation for expressions that involve words with integer values. We have used hybrid decision diagrams to represent the integer functions that occur in arithmetic circuit verification. For the state variables corresponding to data bits, our representation behaves like a BMD, while for the state variables corresponding to control signals, it behaves like an MTBDD. By using this representation, we are able to handle circuits with both control logic and wide data paths. We have extended the symbolic model checking system SMV [11] so that it can also handle properties involving relationships among data words. In the original SMV system, atomic formulas could only contain state variables. In the extended system, we allow atomic formulas to be equations or inequalities between expressions as well. These expressions are represented as hybrid decision diagrams.

In the word level model checking system, propositions denoting nodes in circuits are represented as BDDs and are computed in exactly the same way as in the original symbolic model checking system. Words are arrays of propositions, each of which corresponds to a single bit. Expressions are composed of arithmetic operations applied to words. Hybrid decision diagrams can be computed for words and expressions using the algorithms for arithmetic operations. Atomic formulas can be relations between expressions, and their BDD representations can be computed by the algorithm that handles arithmetic relations. After the BDD representations for the atomic formulas are generated, the BDDs for static formulas and temporal formulas are computed in the same way as in ordinary model checking. In particular, the fixpoint computations are exactly the same in both cases.

By using the word level model checking system, we have successfully verified circuits for division and square root computation that are based on the SRT algorithm used by the Pentium. We are able to handle both the control logic and the data paths. All of the states in the finite state machine for the control logic have been verified. Moreover, we have proved invariant properties that guarantee the correctness of the data values and prevent overflows. The total number of state variables exceeds 600 (which is much larger than any circuit previously checked by SMV).

This paper is organized as follows: In Section 2, we discuss different techniques for representing functions that map boolean vectors into the integers. In Section 3, we give the logic that is used for specifying the properties involving the data values. In this section, we also describe how formulas can be represented by a special class of hybrid decision diagrams. In Sections 4 and 5, algorithms for handling arithmetic operations and arithmetic relations are given. Section 4 gives the algorithms for computing addition, multiplication and the if-then-else operation for this representation. Section 5 gives an algorithm that computes the BDD representation for the set of variable assignments that satisfy an equation or an inequality. In Section 6, we discuss how the word level model checking is performed. We illustrate the power of our technique in Section 7 by showing how word level model checking can be used to verify a division circuit based on the radix-4 SRT algorithm that is similar to the one used by the Pentium. The paper concludes in Section 8 with a discussion of possible future research directions.

2. Hybrid Decision Diagrams

Ordered binary decision diagrams (BDDs) are a canonical representation for boolean formulas proposed by Bryant [3]. They are often substantially more compact than traditional normal forms such as conjunctive normal form and disjunctive normal form. They can also be manipulated very efficiently. Hence, BDDs have become widely used for a variety of CAD applications, including symbolic simulation, verification of combinational logic and, more recently, verification of sequential circuits.

A BDD is similar to a binary decision tree, except that its structure is a directed acyclic graph rather than a tree, and there is a strict total order placed on the occurrence of variables as one traverses the graph from root to leaf. Algorithms of linear complexity exist for computing BDD representations of $\neg f$ and $f \vee g$ from the BDDs for the formulas $f$ and $g$.

Let $f : B^m \to Z$ be a function that maps boolean vectors of length $m$ into integers. Suppose $n_1, \ldots, n_N$ are the possible values of $f$. The function $f$ partitions the space of boolean vectors into $N$ sets $\{S_1, \ldots, S_N\}$, such that $S_i = \{\, x \mid f(x) = n_i \,\}$. Let $f_i$ be the characteristic function of $S_i$; we say that $f$ is in normal form if $f(x)$ is represented as $\sum_{i=1}^{N} f_i(x) \cdot n_i$. This sum can be represented as a BDD with integers as its terminal nodes. We call such DAGs Multi-Terminal BDDs (MTBDDs) [8, 1].


Any arithmetic operation $\odot$ on MTBDDs can be performed in the following way. There is an efficient algorithm that computes the operation in time linear in the sizes of the MTBDDs of both operands. Let $g$ have the normal form $\sum_{j=1}^{N'} g_j(x) \cdot n'_j$, and let $n''_1, \ldots, n''_{N''}$ be the distinct values taken by $n_i \odot n'_j$.

$$h(x) = f(x) \odot g(x)$$

$$= \Big(\sum_{i=1}^{N} f_i(x) \cdot n_i\Big) \odot \Big(\sum_{j=1}^{N'} g_j(x) \cdot n'_j\Big)$$

$$= \sum_{i=1}^{N} \sum_{j=1}^{N'} \big(f_i(x) \wedge g_j(x)\big) \cdot (n_i \odot n'_j)$$

$$= \sum_{k=1}^{N''} \Big(\bigvee_{n_i \odot n'_j = n''_k} f_i(x) \wedge g_j(x)\Big) \cdot n''_k$$

Functions that map boolean vectors into the integers can also be represented as arrays of BDDs. These BDDs have boolean values and each corresponds to one bit of the binary representation of the function value. In general, it is quite expensive to perform operations using this representation.

Let $M$ be a $2^n \times 2^m$ matrix over $Z$. It is easy to see that $M$ can be represented as a function $M : B^{n+m} \to Z$, such that $M_{ij} = M(x, y)$, where $x$ is the bit vector for $i$ and $y$ is the bit vector for $j$. Therefore, matrices with integer values can be represented as integer-valued functions using the representation shown above. We can also perform various matrix operations using our MTBDD representation. In particular, matrix multiplication can be computed in the following way: Suppose that two matrices $A$ and $B$ have dimensions $2^k \times 2^l$ and $2^l \times 2^m$, respectively. Let $C = A \times B$ be the product of $A$ and $B$; then $C$ will have dimension $2^k \times 2^m$. If we treat $A$ and $B$ as integer-valued functions, we can compute the product matrix $C$ as

$$C(x, z) = \sum_{y} A(x, y) \cdot B(y, z)$$

where $\sum_y$ means "sum over all possible assignments to $y$". Although this operation works well in many cases, the worst case complexity can be exponential in the number of variables.

Recently, Bryant and Chen [4] have developed a new representation for functions that map boolean vectors to integer values. This representation is called the Binary Moment Diagram (BMD) of the function. Instead of the Shannon expansion $f = x f_1 + (1 - x) f_0$, they use the expansion $f = f_0 + x f_{\dot{x}}$, where $f_{\dot{x}}$ is equal to $f_1 - f_0$. After merging the common subexpressions, a DAG representation for the function is obtained. They prove in their paper that this gives a compact representation for certain functions which have exponential size if represented by MTBDDs directly.

There is a close relationship between this representation and the inverse Reed-Muller transformation [12]. The matrix for the inverse Reed-Muller transformation is defined recursively by

$$S_n = \begin{pmatrix} S_{n-1} & 0 \\ -S_{n-1} & S_{n-1} \end{pmatrix}, \qquad S_1 = \begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix},$$

which has a linear MTBDD representation. Let $i \in B^n$ be the binary representation of the integer $0 \le i < 2^n$. A function $f : B^n \to N$ can be represented as a column vector where the value of the $i$th entry is $f(i)$. We will not distinguish between a function and its corresponding column vector. The inverse Reed-Muller transformation can be obtained by multiplying the transformation matrix and the column vector, $f' = S_n \times f$, using the technique described in the previous section.

Theorem 1. The MTBDD of $f'$ is isomorphic to the BMD of $f$.

Proof: The theorem is easy to prove by induction on the number of variables.

Base case: If the number of variables is 0, the function is a constant and $f' = f$. Both the MTBDD of $f'$ and the BMD for $f$ are terminal nodes and therefore isomorphic.

Induction step: Let $f : B^n \to N$. The roots of both the BMD for $f$ and the MTBDD for $f'$ are $x_n$. The left child of the root of the BMD for $f$ is the BMD for $f|_{x_n=0}$, while the right child is the BMD for $f|_{x_n=1} - f|_{x_n=0}$. When $f$ is represented as a column vector, the upper half is $f|_{x_n=0}$ and the bottom half is $f|_{x_n=1}$. The inverse Reed-Muller matrix is $\begin{pmatrix} S_{n-1} & 0 \\ -S_{n-1} & S_{n-1} \end{pmatrix}$. The result of the transformation is therefore:

$$\begin{pmatrix} S_{n-1} & 0 \\ -S_{n-1} & S_{n-1} \end{pmatrix} \times \begin{pmatrix} f|_{x_n=0} \\ f|_{x_n=1} \end{pmatrix} = \begin{pmatrix} S_{n-1} \times f|_{x_n=0} \\ S_{n-1} \times (f|_{x_n=1} - f|_{x_n=0}) \end{pmatrix}$$

If this vector is represented by an MTBDD, the left child is the MTBDD for the inverse Reed-Muller transform of $f|_{x_n=0}$ and the right child is the MTBDD for the inverse Reed-Muller transform of $f|_{x_n=1} - f|_{x_n=0}$. By the induction hypothesis, both children are isomorphic to the children of the root of the BMD for $f$. Therefore the BMD of $f$ is isomorphic to the MTBDD for $f'$. $\square$


The inverse Reed-Muller matrix can be represented as the Kronecker product [2] of $n$ identical $2 \times 2$ matrices:

$$S_n = \begin{pmatrix} S_{n-1} & 0 \\ -S_{n-1} & S_{n-1} \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix} \otimes S_{n-1} = \underbrace{\begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix} \otimes \cdots \otimes \begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix}}_{n}$$

The inverse Reed-Muller transformation is not unique in this respect. Other transformations that are defined as Kronecker products of $2 \times 2$ matrices may also provide concise representations for functions mapping boolean vectors into integers. In fact, the Kronecker product of any non-singular $2 \times 2$ matrices can be used as a transformation matrix and will produce a canonical representation for the function. Moreover, if the transformation matrix is a Kronecker product of different $2 \times 2$ matrices, we still have a canonical representation of the function. We call transformations obtained from such matrices hybrid transformations.

A similar strategy has been tried by Becker [10]. However, his technique only works for the boolean domain. When using his technique, all of the transformation matrices, the original function and the resulting function must have boolean values. Our technique, on the other hand, works over the integers. By allowing integer values, we can handle a wider range of functions. Moreover, we can obtain larger reduction factors since we have more choices for transformation matrices.

We can apply this idea to reduce the size of the BDD representation of the functions. Since there is no known polynomial algorithm to find the hybrid Kronecker transformation that minimizes BDD size, we use a greedy algorithm to reduce the size. If we restrict the entries in the matrix to the set $\{0, 1, -1\}$, then there are six matrices we can try. For each variable, we select the matrix that gives the smallest BDD size. The BDDs obtained from such transformations are called Hybrid Decision Diagrams (HDDs). We have tried this method on the ISCAS85 benchmark circuits. In some cases we have been able to reduce the size of the BDD representation by a factor of 1300. However, reductions of this magnitude usually occur when the original function has a bad variable ordering. If dynamic variable ordering is used, then our method gives a much smaller reduction factor.
3. The Logic


Symbolic model checking techniques based on Binary Decision Diagrams (BDDs) have been successful in verifying control logic [5]. However, the lack of a proper representation for functions that map boolean vectors into integers has prevented this technique from being used for verifying arithmetic circuits. We have experimented with the different representations that are introduced in the previous sections. Unfortunately, there are fundamental problems with applying either the MTBDD or the BDD array representation for verification of arithmetic circuits. For the functions that arise in this type of application, the number of possible values is exponential in the number of bits. Therefore, the MTBDDs also have exponential size. On the other hand, arithmetic operations on BDD arrays are very expensive. In particular, since the BDD size for the middle bit of a combinational multiplier is exponential in the length of its operands, the BDD array representation is exponential for multiplication.

Bryant and Chen [4] have shown that the BMD gives a compact representation for certain functions that have exponential size MTBDDs. They have used this representation to verify the data paths of some arithmetic circuits. They are able to conclude that a circuit is correct if the BMDs for the circuit and the specification are exactly the same. However, depending on the implementation and the control logic, there can be cases in which the circuits are correct but the BMDs are not identical. Moreover, since their technique cannot handle inequalities, it is impossible to check some of the properties that are needed in order to avoid the Pentium error.

We have used hybrid decision diagrams to represent the integer functions that occur in arithmetic circuit verification. In particular, for the state variables corresponding to data bits, we use the inverse Reed-Muller transform, while for the state variables corresponding to control signals, we use the identity transform. Therefore, for data variables, this representation behaves like a BMD, while for control variables, it behaves like an MTBDD. By using this representation, we are able to handle circuits with both control logic and wide data paths. Since this representation is a special case of the hybrid decision diagrams, all the algorithms mentioned in the previous sections can be applied.

By using this representation, we have extended the symbolic model checking system SMV [11] so that it can also handle properties involving relationships among data words. In the original SMV system, atomic formulas can only contain state variables. In the extended system, we allow atomic formulas to be equations or inequalities between expressions as well. These expressions are represented as hybrid BDDs. The logic that we use is as follows:

• Atomic propositions: $Ap = \{p_1, \ldots, p_k\}$

• Propositional formulas: $Prop ::= Ap \mid Prop \wedge Prop \mid \neg Prop$

• Words: $Word ::= (Prop, Prop, \ldots, Prop)$

• Expressions: $Exp ::= Constant \mid Word \mid next(Word) \mid Exp \odot Exp \mid \mathbf{if}\ SF\ \mathbf{then}\ Exp\ \mathbf{else}\ Exp$, where $\odot$ can be $+$, $-$, or $\times$.

• Atomic formulas: $AF ::= Ap \mid \{A \mid E\}(Exp \sim Exp)$, where $\sim$ can be $=$, $<$, or $\le$.

• Static formulas: $SF ::= AF \mid SF \wedge SF \mid \neg SF$

• Temporal formulas: $TF ::= SF \mid TF \wedge TF \mid \neg TF \mid AX\, TF \mid \{A \mid E\}[TF\ U\ TF]$

A model is given by:
A  model  is  given  by: 

• States: $S = 2^{Ap}$.

• Transition relation: $R \subseteq S \times S$

• Initial states: $S_0 \subseteq S$

• Valuation mapping for atomic propositions: $V : Ap \times S \to \{0, 1\}$

The semantics for the logic is given by:

• Propositional formula interpretation: $P : Prop \times S \to \{0, 1\}$

$P(p_i, s) = V(p_i, s)$; $P(f_1 \wedge f_2, s) = P(f_1, s) \wedge P(f_2, s)$; $P(\neg f, s) = \neg P(f, s)$

• Word interpretation: $W : Word \times S \to N$

$W((p_0, \ldots, p_{n-1}), s) = \sum_{i=0}^{n-1} P(p_i, s) \cdot 2^i$

• Expression interpretation: $E : Exp \times S \times S \to N$. In the following, $s'$ is needed because it is possible to have the next-state value of a word in an expression.

$E(e_1 \odot e_2, s, s') = E(e_1, s, s') \odot E(e_2, s, s')$

$E(\mathbf{if}\ f\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2, s, s') = \mathbf{if}\ (s \models f)\ \mathbf{then}\ E(e_1, s, s')\ \mathbf{else}\ E(e_2, s, s')$

$E(w, s, s') = W(w, s)$

$E(next(w), s, s') = W(w, s')$

• Atomic formula interpretation. Because of the nondeterministic behavior of the system, there can be more than one possible next state for a given state. Therefore, a path quantifier is needed in order to quantify over the next state that appears in the semantics of the expressions.

$s \models p_i \iff V(p_i, s) = 1$

$s \models A(e_1 \sim e_2) \iff \forall s'.\ R(s, s') \to E(e_1, s, s') \sim E(e_2, s, s')$

$s \models E(e_1 \sim e_2) \iff \exists s'.\ R(s, s') \wedge E(e_1, s, s') \sim E(e_2, s, s')$

• The semantics of $SF$ and $TF$ are the same as in CTL.

This logic can naturally be divided into three layers. The top layer contains atomic formulas, static formulas and temporal formulas. The second layer contains words and expressions. The third layer contains atomic propositions and propositional formulas. All of the objects in the top and bottom layers are boolean functions, while the objects in the second layer are functions that map boolean vectors into the integers. Therefore, in the word level model checking system, all atomic propositions, propositions, atomic formulas, static formulas and temporal formulas are represented as BDDs, while words and expressions are represented as hybrid decision diagrams.
4. Arithmetic operations on hybrid decision diagrams


In order to be able to perform model checking on the logic discussed in the previous section, it is desirable to implement various operations on hybrid decision diagrams. We consider scalar multiplication, addition and multiplication of two functions, and the if-then-else operation. Although we only discuss a special kind of hybrid decision diagram in this and the following section, similar algorithms exist for handling general hybrid decision diagrams as well. As discussed in the previous section, we use a uniform hybrid transformation for all functions. Let the transformation matrix be $H$.

We use $f'$ to denote the result after applying the hybrid transformation to a function $f$. Scalar multiplication is simple to perform.

$$(c \cdot f)' = H \times (c \cdot f) = c \cdot (H \times f) = c \cdot f'$$

Finding the sum of two functions is also simple.

$$(f + g)' = H \times (f + g) = H \times f + H \times g = f' + g'$$

Next, we consider how to perform multiplication. Let the top-level variable be $x_i$. Suppose $f'$ and $g'$ are as shown in Figure 1, and the resulting function $(f \cdot g)'$ is as shown in Figure 2.

Figure 1: BDDs for $f'$ and $g'$

Figure 2: BDD of $(f \cdot g)'$

There are two possibilities. If $x_i$ is a control signal, the identity transformation is used at this level. Then

$$(f \cdot g)'_l = (f \cdot g)'|_{x_i=0} = (f|_{x_i=0} \cdot g|_{x_i=0})' = (f_l \cdot g_l)'$$

$$(f \cdot g)'_r = (f \cdot g)'|_{x_i=1} = (f|_{x_i=1} \cdot g|_{x_i=1})' = (f_r \cdot g_r)'$$

When $x_i$ is a data bit, the inverse Reed-Muller transformation is used at this level. In this case, the computation is more complicated.

$$(f \cdot g)'_l = (f \cdot g)'|_{x_i=0} = (f|_{x_i=0} \cdot g|_{x_i=0})' = (f_l \cdot g_l)'$$

$$(f \cdot g)'_r = (f \cdot g)'|_{x_i=1} - (f \cdot g)'|_{x_i=0}$$

$$= (f|_{x_i=1} \cdot g|_{x_i=1})' - (f|_{x_i=0} \cdot g|_{x_i=0})'$$

$$= ((f_l + f_r) \cdot (g_l + g_r))' - (f_l \cdot g_l)'$$

$$= (f_r \cdot g_l)' + (f_l \cdot g_r)' + (f_r \cdot g_r)'$$

Since both $(f \cdot g)'_l$ and $(f \cdot g)'_r$ can be computed in terms of $(f_l \cdot g_l)'$, $(f_l \cdot g_r)'$, $(f_r \cdot g_l)'$, and $(f_r \cdot g_r)'$, we can compute the transformation of the product in a recursive manner. If we store these intermediate results, the total number of recursive calls to compute $(f \cdot g)'$ will be at most $|f'| \cdot |g'|$. Because of the additions that are needed in the computation, the worst case complexity can still be exponential. However, in practice, this algorithm works quite well.

Likewise, the recursive computation of the if-then-else operation can be given as follows. If the top variable $x_i$ is a control signal,

$$(\mathbf{if}\ c\ \mathbf{then}\ f\ \mathbf{else}\ g)'_l = (\mathbf{if}\ c|_{x_i=0}\ \mathbf{then}\ f_l\ \mathbf{else}\ g_l)'$$

$$(\mathbf{if}\ c\ \mathbf{then}\ f\ \mathbf{else}\ g)'_r = (\mathbf{if}\ c|_{x_i=1}\ \mathbf{then}\ f_r\ \mathbf{else}\ g_r)'$$

When $x_i$ is a data bit,

$$(\mathbf{if}\ c\ \mathbf{then}\ f\ \mathbf{else}\ g)'_l = (\mathbf{if}\ c|_{x_i=0}\ \mathbf{then}\ f_l\ \mathbf{else}\ g_l)'$$

$$(\mathbf{if}\ c\ \mathbf{then}\ f\ \mathbf{else}\ g)'_r = (\mathbf{if}\ c|_{x_i=1}\ \mathbf{then}\ f_l\ \mathbf{else}\ g_l)' + (\mathbf{if}\ c|_{x_i=1}\ \mathbf{then}\ f_r\ \mathbf{else}\ g_r)' - (\mathbf{if}\ c|_{x_i=0}\ \mathbf{then}\ f_l\ \mathbf{else}\ g_l)'$$

5. Equations and inequalities

Model checking for word level properties also requires computing the set of assignments that satisfy $f_1 \sim f_2$, where $\sim$ can be one of $=$, $<$, $\le$, $>$, or $\ge$. Finding the set of assignments that satisfy an inequality can be reduced to the problem of finding the set of assignments that make a function $f$ positive. Equations can be handled in a similar manner. A straightforward way of solving the problem is to convert $f$ to an MTBDD and then pick the terminal nodes with the correct sign. However, this does not work very well in general, because some functions have MTBDDs with exponential size but hybrid BDDs of polynomial size. For example, let $f_1 = \sum_{i=0}^{n} x_i 2^i$ and $f_2 = \sum_{j=0}^{n} y_j 2^j$. Both of these functions and their difference have linear size BMDs. The BDD for the set of assignments satisfying $f_1 - f_2 > 0$ also has linear size. But the MTBDD size for $f_1 - f_2$ is exponential.
We have developed an algorithm that can substantially reduce the cost of computing arithmetic relations between certain functions. Suppose that we want to compute the set of assignments that satisfies $f > 0$. Each branch in the hybrid decision diagram for $f$ corresponds to a subset of variable assignments. If the maximum value of a branch is less than or equal to 0, then none of the assignments in this branch satisfy the inequality. If the minimum value of a branch is greater than 0, then all assignments in this branch satisfy the inequality. In both cases, we avoid checking the signs of the individual assignments in the branch.

To obtain a good algorithm for this problem, it is important to be able to compute upper and lower bounds for a branch in an HDD. An algorithm for this purpose is given below. If the intermediate results are stored, the algorithm takes time linear in the number of HDD nodes.

bound_values(f, upper, lower)
begin
    if (f is terminal node)
        upper = lower = f.value;
        return;
    if (top level is BMD)
        /* BMD level: the x = 1 branch is left(f) + right(f) */
        lower = min(lower(left(f)), lower(left(f)) + lower(right(f)));
        upper = max(upper(left(f)), upper(left(f)) + upper(right(f)));
    else
        /* MTBDD level: the two branches are the two cofactors */
        lower = min(lower(left(f)), lower(right(f)));
        upper = max(upper(left(f)), upper(right(f)));
end

The improved algorithm for computing the BDD for the set of assignments that make the function f positive is given below. A similar algorithm is used to find the set of assignments that make a function zero.

bdd greater_than_0(f)
begin
    if (f is terminal node)
        if (f.value > 0) return(True);
        else return(False);
    bound_values(f, upper, lower);
    if (upper <= 0) return(False);   /* no assignment in this branch is positive */
    if (lower > 0) return(True);     /* every assignment in this branch is positive */
    left = greater_than_0(left(f));
    if (top level is BMD)
        right = greater_than_0(left(f) + right(f));
    else
        right = greater_than_0(right(f));
    return(hdd_if_then_else(level(f), left, right));
end
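To make the two procedures concrete, the following Python program is an added example (it is not code from the paper and not the SMV implementation): a minimal BMD over data variables with bound_values and greater_than_0 as given above, run on the text's f1 − f2 > 0 instance and checked against brute-force enumeration. The tuple encoding of nodes, the interleaved variable ordering with most significant bits on top, and the memoisation through lru_cache are assumptions of this example; only the BMD case of bound_values is implemented, since all variables here are data variables.

```python
"""Added example, not from the paper: a minimal binary moment diagram (BMD) with
the text's bound_values and greater_than_0, checked against brute force.  The
tuple node encoding, ordering and memoisation are our own simplifications, and
only the BMD (data variable) case of bound_values is implemented."""
from functools import lru_cache
from itertools import product
import math

# A BMD is an int (terminal) or a tuple (var, low, moment) meaning
#   f = low + x_var * moment  with x_var in {0, 1}; smaller var is nearer the root.
# Memoising on the (hashable) node is the "store the intermediate results" step.

def level(f):
    return math.inf if isinstance(f, int) else f[0]

def mk_bmd(var, low, moment):
    return low if moment == 0 else (var, low, moment)   # zero moment: drop var

@lru_cache(maxsize=None)
def add(f, g):
    """Pointwise sum of two BMDs sharing one variable ordering."""
    if isinstance(f, int) and isinstance(g, int):
        return f + g
    v = min(level(f), level(g))
    f_low, f_mom = (f[1], f[2]) if level(f) == v else (f, 0)
    g_low, g_mom = (g[1], g[2]) if level(g) == v else (g, 0)
    return mk_bmd(v, add(f_low, g_low), add(f_mom, g_mom))

def scale(f, c):   # multiply a BMD by the integer constant c
    if isinstance(f, int):
        return f * c
    return mk_bmd(f[0], scale(f[1], c), scale(f[2], c))

def word(vars_msb_first):
    """BMD of the unsigned word with these bit variables, most significant first."""
    f, n = 0, len(vars_msb_first)
    for p, v in enumerate(vars_msb_first):
        f = add(f, mk_bmd(v, 0, 2 ** (n - 1 - p)))
    return f

@lru_cache(maxsize=None)
def bound_values(f):
    """(lower, upper) of f over all assignments; at a BMD level the x=1 branch
    is left + right, so its bounds are the sums of the children's bounds."""
    if isinstance(f, int):
        return f, f
    lo_l, up_l = bound_values(f[1])
    lo_r, up_r = bound_values(f[2])
    return min(lo_l, lo_l + lo_r), max(up_l, up_l + up_r)

def mk_bdd(var, low, high):   # result BDD: bool, or (var, low, high) = if x_var then high else low
    return low if low == high else (var, low, high)

def greater_than_0(f, calls=None):
    """BDD of the assignments with f > 0 (the paper's improved procedure);
    `calls`, if given, is a one-element list counting recursive calls."""
    if calls is not None:
        calls[0] += 1
    if isinstance(f, int):
        return f > 0
    lower, upper = bound_values(f)
    if upper <= 0:        # no assignment under this node is positive: prune
        return False
    if lower > 0:         # every assignment under this node is positive: prune
        return True
    left = greater_than_0(f[1], calls)                 # x_var = 0 branch
    right = greater_than_0(add(f[1], f[2]), calls)     # x_var = 1 branch
    return mk_bdd(f[0], left, right)

def eval_bmd(f, env):
    if isinstance(f, int):
        return f
    var, low, mom = f
    return eval_bmd(low, env) + env[var] * eval_bmd(mom, env)

def eval_bdd(b, env):
    while not isinstance(b, bool):
        var, low, high = b
        b = high if env[var] else low
    return b

def agrees_with_brute_force(f, n_vars):
    """True iff greater_than_0(f) matches evaluating f on all 2**n_vars inputs."""
    bdd = greater_than_0(f)
    for bits in product((0, 1), repeat=n_vars):
        env = dict(enumerate(bits))
        if eval_bdd(bdd, env) != (eval_bmd(f, env) > 0):
            return False
    return True

def difference_example(n):
    """Constructed instance of the text's f1 - f2 > 0 for n-bit words x and y,
    interleaved (x on even variables, y on odd ones), most significant bits on
    top.  Returns (bounds of f, recursive calls made, agrees with brute force)."""
    x = word(list(range(0, 2 * n, 2)))
    y = word(list(range(1, 2 * n, 2)))
    f = add(x, scale(y, -1))
    calls = [0]
    greater_than_0(f, calls)
    return bound_values(f), calls[0], agrees_with_brute_force(f, 2 * n)
```

For two-bit words, difference_example(2) returns bounds (-3, 3), 15 recursive calls (a full decision tree over the four variables would have 31 nodes) and agreement with brute force; the call count is what the bound pruning buys, and the recursion on add(f[1], f[2]) is where the "constant plus existing BMD" nodes mentioned later in this section come from.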

The improved algorithm works extremely well for verification of arithmetic circuits. The following theorem guarantees the efficiency of this algorithm for the set of linear expressions. Most of the formulas that occur during the verification of the SRT division algorithm are in this class. These expressions have the form $f = \sum_{i=1}^{m} c_i f_i$, where $f_i = \sum_{j=0}^{n-1} x_{ij} 2^j$ for $1 \le i \le m$ and the $c_i$'s are integer constants. Suppose all variables are data variables; then the hybrid decision diagrams are identical to BMDs. We use the variable ordering $\ldots, x_{1j}, x_{2j}, \ldots, x_{mj}, \ldots, x_{10}, x_{20}, \ldots, x_{m0}$. Because $f|_{x_{ij}=1} - f|_{x_{ij}=0}$ is a constant, the HDD for $f$ is shown in Figure 3.


Figure 3: BMD for $\sum_{i=1}^{m} c_i f_i$


Lemma 1 The number of recursive calls to the greater_than_0 procedure for computing the BDD for $f$ at each level cannot exceed $4\sum_{k=1}^{m} |c_k|$.


Proof: Suppose we consider the recursive calls to the BMD nodes that have $x_{ij}$ as the top variable. The inverse transformation matrix for BMD nodes is the $2 \times 2$ Reed-Muller matrix

$$\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$$

Thus, the recursive calls in the procedure greater_than_0 apply to either the left child or the sum of both children. The BMD nodes that are recursively called with $x_{ij}$ as top variable must be the sum of the sub-BMD in Figure 3 with top variable $x_{ij}$ and some of the right children of ancestors of the sub-BMD. The right children of all of the ancestor nodes of this sub-BMD are constant nodes with the value $c_k 2^l$ where $1 \le k \le m$ and $l > j$. The sum of those right children can be rewritten in the form $d 2^j$ where $d$ is an integer constant. Therefore the BMD nodes with top variable $x_{ij}$ have the form shown in Figure 4.

Figure 4: BMD nodes explored at level $x_{ij}$

Let

$$c_k^+ = \begin{cases} c_k & \text{if } c_k \ge 0 \\ 0 & \text{otherwise} \end{cases} \qquad c_k^- = \begin{cases} c_k & \text{if } c_k < 0 \\ 0 & \text{otherwise} \end{cases}$$

When we apply the procedure bound_values to this BMD, the upper bound computed is equal to $d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i}^{m} c_k^+ 2^j$. This can be proved by induction on the structure of the BMD. The base case is trivial. For the induction step, consider the node with the variable $x_{ij}$. There are two cases. The first case is when $i < m$. In this case, by the induction hypothesis, upper(left(f)) is equal to $d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i+1}^{m} c_k^+ 2^j$. Since the right branch is a constant, upper(right(f)) is $c_i 2^j$. Therefore,

$$\begin{aligned}
\text{upper} &= \max(\text{upper}(\text{left}(f)),\ \text{upper}(\text{left}(f)) + \text{upper}(\text{right}(f))) \\
&= \text{upper}(\text{left}(f)) + (\text{if } \text{upper}(\text{right}(f)) \ge 0 \text{ then } \text{upper}(\text{right}(f)) \text{ else } 0) \\
&= d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i+1}^{m} c_k^+ 2^j + (\text{if } c_i \ge 0 \text{ then } c_i \text{ else } 0)\, 2^j \\
&= d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i+1}^{m} c_k^+ 2^j + c_i^+ 2^j \\
&= d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i}^{m} c_k^+ 2^j
\end{aligned}$$

A similar proof can be obtained for the other case, when $i = m$. In the same way, we are able to prove that the lower bound computed by the procedure is $d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^- 2^l + \sum_{k=i}^{m} c_k^- 2^j$.

Hence

$$\begin{aligned}
\text{upper} &= d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^+ 2^l + \sum_{k=i}^{m} c_k^+ 2^j \\
&\le d 2^j + \sum_{l=0}^{j}\sum_{k=1}^{m} c_k^+ 2^l \\
&= d 2^j + \sum_{k=1}^{m} c_k^+ (2^{j+1} - 1) \\
&< d 2^j + \sum_{k=1}^{m} c_k^+ 2^{j+1} \\
&= 2^j \Big(d + 2\sum_{k=1}^{m} c_k^+\Big)
\end{aligned}$$

$$\begin{aligned}
\text{lower} &= d 2^j + \sum_{l=0}^{j-1}\sum_{k=1}^{m} c_k^- 2^l + \sum_{k=i}^{m} c_k^- 2^j \\
&\ge d 2^j + \sum_{l=0}^{j}\sum_{k=1}^{m} c_k^- 2^l \\
&= d 2^j + \sum_{k=1}^{m} c_k^- (2^{j+1} - 1) \\
&> d 2^j + \sum_{k=1}^{m} c_k^- 2^{j+1} \\
&= 2^j \Big(d + 2\sum_{k=1}^{m} c_k^-\Big)
\end{aligned}$$

If $d \le -2\sum_{k=1}^{m} c_k^+$, upper is negative or 0 and the algorithm will return constant false. Likewise, if $d \ge -2\sum_{k=1}^{m} c_k^-$, lower is positive and the algorithm will return constant true. Therefore, the recursive calls to the children can only occur when $-2\sum_{k=1}^{m} c_k^+ < d < -2\sum_{k=1}^{m} c_k^-$. Since $d$ is an integer, there can be at most $2 \times \big(-2\sum_{k=1}^{m} c_k^- + 2\sum_{k=1}^{m} c_k^+\big) = 4\sum_{k=1}^{m} |c_k|$ recursive calls.

Theorem 2 The complexity of greater_than_0 for $f$ is $O(n^2 \sum_{k=1}^{m} |c_k|)$.

Proof: There are $n$ levels. Each level takes $4\sum_{k=1}^{m} |c_k|$ recursive calls. Each recursive call takes time $O(n)$ to compute the upper and lower bound values. Therefore, the total time is $O(n^2 \sum_{k=1}^{m} |c_k|)$. □

In the case of linear inequalities, all the new BMDs that are generated have the form $c + g$, where $c$ is a constant and $g$ is an existing BMD. If we remember the constant without actually adding it to the BMDs, we are able to avoid generating new BMD nodes. After introducing this technique, the complexity of computing greater_than_0(f) can be further reduced to $O(n \sum_{k=1}^{m} |c_k|)$.

6.  Model  Checking  for  Word  Level  Properties 

Model checking is a technique for finding the set of states in a state-transition graph where a given CTL formula is true. There is a program called EMC that solves this problem using efficient graph-traversal techniques. If the model is represented as a state-transition graph, the complexity of the algorithm is linear in the size of the graph and in the length of the formula. The algorithm is quite fast in practice [6, 7]. However, an explosion in the size of the model may occur when the state-transition graph is extracted from a finite state concurrent system that has many processes or components. In symbolic model checking systems [5], BDDs are used to represent the transition relations and sets of states. The model checking process is performed by fixpoint operations on these BDDs. By using symbolic model checking techniques, the size of the transition systems that can be verified has increased dramatically. Although such techniques have been successful in verifying control logic, they cannot be directly used for verifying arithmetic circuits. This is because expressions that involve words with integer values cannot be handled properly.

Now that we are able to handle arithmetic operations and arithmetic relations, it is possible to extend the symbolic model checking algorithm so that it can handle word level properties. BDDs for the transition relation and all propositions are generated in exactly the same way as in the original symbolic model checking system. The hybrid decision diagram representation of a word $(f_0, f_1, \ldots, f_n)$ can be computed as

$$\sum_{i=0}^{n} (\text{if } f_i \text{ then } 2^i \text{ else } 0)$$

using the operations mentioned above. Although this process is exponential in the worst case, it works fairly well in practice. The hybrid decision diagram representation of most expressions can be computed using the techniques discussed above. The only exception is the next operation, which can be performed by variable substitution. The substitution replaces all of the current state variables in the hybrid decision diagram for the word by their corresponding next state variables. The algorithm to obtain the BDD representing the set of variable assignments that make an algebraic relation true can be used to compute the BDD for atomic formulas. After the BDD representation for the atomic formulas is generated, the BDDs for static formulas and temporal formulas are computed in the same way as in ordinary model checking. In particular, the fixpoint computations are exactly the same in both cases.

Since we use the same algorithm to compute the transition relation as the ordinary model checking algorithm, the word level model checking algorithm does not work well when the transition relation does not have a concise representation. As an example, let us consider a multiplier. Let x and y be the input registers and z be the output register. Suppose the transition relation can be represented as follows:

$$Tr(x, y, z) = Tr'(x, y) \wedge (\text{next}(z) = x \times y)$$

Obviously, the BDD representation of the transition relation has exponential size since the BDD representation of the middle bit of a multiplier is exponential. This problem can sometimes be avoided by conjunctive decomposition of the transition relation. Let x, y, and z be the state variables that encode the current state values of x, y and z respectively. Let x', y', and z' be the state variables that encode the next state values of x, y and z. Suppose that we want to verify a word level property of the form f(x, y, z). There may be appearances of next(z); if so, we can replace them by x × y at the word level and obtain a new formula. Hopefully, the resulting formula will be independent of z and the HDD representation of the formula can be denoted as f'(x, y). In this case, we can use Tr' as the transition relation to perform the fixpoint operations. Even if f' depends on some bits of z, we can often obtain a much simpler transition relation by eliminating the conjuncts that give the values of bits that are not needed.

7.  Verification  of  an  SRT  radix  4  division  circuit 

By using the word level model checking system, we have successfully verified circuits for division and square root computation that are based on the SRT algorithm used by the Pentium. We are able to handle both the control logic and the data paths. The division circuit that we investigated has 5 states: idle, init, loop, last and rem. The state transition graph for these states is shown in Figure 5. This circuit can perform two different operations, division and remainder.

Figure 5: The controlling states for the division circuit

When the operation is division, the steps in the computation are

idle → init → loop* → last → idle

When the operation is remainder, the steps are

idle → init → loop* → last → rem → idle

Figure 6 gives the data path of the circuit at the loop state. All the words have 70 bits. However, only the leading bits of the partial remainder and of the multiples of the divisor are used to compute the quotient digit for the next cycle.

Figure 6: The data path for the division circuit at loop state

We have verified the circuit with both the control logic and the data path. All states of the finite state machine have been checked. Let r be the partial remainder, q the quotient, and d the divisor. We have checked the properties

• The expression r + q · d always equals the dividend.

• The computation does not overflow. This is guaranteed by $-\frac{8}{3} d \le r \le \frac{8}{3} d$.

For example, we have proved that at the init state, the remainder is the dividend and the quotient is zero. Therefore, the initial value of r + q · d equals the dividend. Moreover, the inequality mentioned above holds at the init state.

SPEC  AG (state  =  init  ->  r  =  dividend  &  q  =  0) 

SPEC  AG (state  =  init  ->  (-8)  *  d  <=  3  *  r  <=  8  *  d) 




[Table 1, whose layout was lost in extraction: the quotient prediction table for the division circuit, indexed by g1 (remainder, first 7 bits) and g2 (divisor, first 4 bits), with entries the quotient digits −2, −1, 0, 1, 2. The threshold expressions that survive are B = −(2 − g2), C = 1 + g2, D = −(1 − g2), E = g2.]

Table 1: The quotient prediction table for the division circuit


We have also proved that the inequality always holds in the loop states, and that r + q · d is invariant with respect to left shifting.

SPEC AG(state = loop -> A[((-8) * d <= 3 * r <= 8 * d) U state = last])

SPEC AG((state = loop & ((-8) * d <= 3 * r <= 8 * d))
        -> A((r + q * d) * 4 = next(r + q * d)))

The  above  properties  are  sufficient  to  guarantee  that  in  the  loop  state,  r  +  q-d  always  equals 
the  dividend  after  left  shifting.  Similar  properties  are  proved  for  the  last  and  rem  states.  In 
addition,  we  have  verified  a  circuit  for  computing  square  roots.  The  total  number  of  state 
variables  for  the  circuit  that  we  verify  exceeds  600  (which  is  much  larger  than  any  circuit 
previously  checked  by  SMV). 
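As an added illustration of the loop state properties above (example code, not the paper's circuit or its SMV model), the following Python program models the SRT radix-4 iteration in exact rational arithmetic and checks both properties at every state: r + q · d equal to the dividend shifted left once per iteration, and −8d ≤ 3r ≤ 8d. The quotient digit is chosen by exactly rounding r/d, which is this example's assumption; the circuit's Table 1 selects it from the leading bits of the remainder and divisor, and the slack between the |r − q · d| ≤ d/2 that rounding gives and the 8d/3 band the specs state (2d/3 before the shift by 4) is what leaves room for such a truncated comparison.

```python
"""Added example, not the paper's circuit or SMV model: an exact-arithmetic
model of the radix-4 SRT division loop of Section 7, checking the two stated
properties at every state.  Digit selection by exact rounding of r/d is this
example's simplification; the circuit's Table 1 uses leading bits instead."""
from fractions import Fraction

DIGITS = (-2, -1, 0, 1, 2)          # radix-4 SRT quotient digit set

def select_digit(r, d):
    """Digit q with |r - q*d| <= d/2, so 4*(r - q*d) stays inside the
    -8d <= 3r <= 8d band.  round() on a Fraction gives the nearest int."""
    return max(DIGITS[0], min(DIGITS[-1], round(r / d)))

def invariants_hold(r, q, d, dividend, shift):
    """Section 7's two properties at one state: r + q*d equals the dividend
    left-shifted `shift` times (by 4 each time), and -8d <= 3r <= 8d."""
    return r + q * d == dividend * 4 ** shift and -8 * d <= 3 * r <= 8 * d

def srt_divide(dividend, d, steps):
    """init state (r = dividend, q = 0) followed by `steps` loop iterations,
    checking the invariants after each.  Returns (q, r, steps done, all held)."""
    dividend, d = Fraction(dividend), Fraction(d)
    if d <= 0:
        raise ValueError("this model assumes a positive divisor")
    r, q = dividend, 0
    if not invariants_hold(r, q, d, dividend, 0):
        return q, r, 0, False            # dividend outside the legal band
    for k in range(1, steps + 1):
        digit = select_digit(r, d)
        r = 4 * (r - digit * d)          # subtract the digit multiple, shift left
        q = 4 * (q + digit)              # the quotient shifts along with r
        if not invariants_hold(r, q, d, dividend, k):
            return q, r, k, False
    return q, r, steps, True

def quotient_and_remainder(dividend, d, steps):
    """Undo the k left shifts: r + q*d = 4^k * dividend gives
    dividend = (q / 4^k) * d + r / 4^k."""
    q, r, k, ok = srt_divide(dividend, d, steps)
    return Fraction(q, 4 ** k), Fraction(r) / 4 ** k, ok
```

With the constructed operands 5/8 and 3/4, three iterations leave q = 52 and r = 1 with both properties intact, and undoing the shifts gives quotient 13/16 and remainder 1/64, which recombine to 5/8; a dividend outside the band, such as 3 with divisor 3/4, is rejected at the init check, which is the init state property the specs above state.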


8.  Directions  of  Future  Research 

We have verified a floating point division circuit based on the SRT algorithm using the word level model checker. We plan to experiment on more circuits. Possible applications include the floating point multiplier, floating point addition, etc.

Our algorithm for solving arithmetic relations works extremely well for linear equations and inequalities. Although the current algorithm can handle some nonlinear equations and inequalities as well, it may be possible to extend this algorithm or to find a new algorithm that can handle more complicated nonlinear equations and inequalities.

There is still one problem with this technique. It can only be used for circuits that maintain the exact value of the data. When rounding occurs, the functions become less regular and the size of the hybrid BDD representation is likely to explode. In these cases, the new value obtained after rounding can be described by a system of inequalities, and the verification process reduces to solving such systems. In another research project, we have built a theorem prover based on the symbolic computation system Mathematica. The theorem prover is called Analytica [9] and is quite good at handling equations and inequalities. We believe that after some modification, Analytica will be useful for solving the inequalities that arise because of rounding in computer arithmetic.


References 

[1] R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo, and F. Somenzi. Algebraic decision diagrams and their applications. In Proceedings of the 1993 IEEE International Conference on Computer Aided Design. IEEE Computer Society Press, November 1993.

[2] R. Bellman. Introduction to matrix analysis, chapter 5. McGraw-Hill, 1970.

[3] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.

[4] R. E. Bryant and Y. A. Chen. Verification of arithmetic functions with binary moment diagrams. In Proceedings of the 32nd ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1995.

[5] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142-170, June 1992.

[6] E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs: Workshop, Yorktown Heights, NY, May 1981, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, 1981.

[7] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.

[8] E. M. Clarke, K. McMillan, X. Zhao, M. Fujita, and J. Yang. Spectral transforms for large boolean functions with applications to technology mapping. In Proceedings of the 30th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1993.

[9] E. M. Clarke and X. Zhao. Analytica: A theorem prover for Mathematica. The Mathematica Journal, 3(1), 1993.

[10] R. Drechsler, A. Sarabi, M. Theobald, B. Becker, and M. A. Perkowski. Efficient representation and manipulation of switching functions based on ordered Kronecker functional decision diagrams. In Proceedings of the 32nd ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1994.

[11] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993. To appear.

[12] D. E. Muller. Application of boolean algebra to switching circuit design and error detection. IRE Trans., 1:6-12, 1954.


